There are several use cases where we would require to force snow using a particular credential from store to access a server.
I give a generic use case as an example. Most of the administrators/Info-sec team wouldn’t be happy to give us privileged access to servers during the discovery phase. But later at some point in time when we start doing service mapping or orchestration, privileged access may be required on some servers to accomplish the task. So the team would create and share a new credential for that. ie. now we have two user credentials in the store which has access to a single server.
Now since we have two credentials, one with limited access used for discovery and second with privileged access how will you know which credential is used when?
By default, ServiceNow creates a Credential affinity for all the servers that are discovered successfully. Basically, it is a mapping of Server IP, MID Server, and Credential. ServiceNow checks if there is any mapping in the credential affinity table before trying out all the credentials in store. If an affinity is found it will use that credential first and goes to credential store only when that mapped credential is failed to authenticate.
To force the credential,
- Navigate to the table dscy_credentials_affinity and search with ip address.
- Remove all existing affinity for that IP.
- Create a new affinity with the sysid of credential that you want to use.
Note: If you have a dedicated MID server for orchestration or service mapping, no need to remove the existing affinity. you can create new affinity with that MID server and credential. Make sure that the other credential is not mapped with same MID server.